Technical Field
The present invention relates generally to security and, in particular, to a secure policy audit in a shared enforcement environment.
Description of the Related Art
Policy is by definition a principle or protocol to guide decisions and achieve rational outcomes. Applied to systems, policy would seem to require the ability to be enforced, and the ability to be audited. Enforcement is the simple enactment of an action based on a policy. Audit is simply the verification that a particular policy was enacted. The verification, or audit of an action has two potential outcomes. One reflects a positive outcome, that is, that the policy was indeed enacted. The other is that there was a failure to enact a given policy, that a result other than expected was achieved. In systems that include a number of components, more than two or more system components may have the ability to enact or enforce specific system policy, in that they control the same kind of actions, though at different parts of the systems work flow. It is useful in such cases to be able to define the action represented by a policy statement once, and then allow the implementer to assign the policy to the appropriate enforcement point. For reasons of system efficiency, it may be useful to assign the same policy to multiple enforcement points in such a way that the combination of each enforcement point's action results in fulfillment of the policy, but where each individually only fulfills a part of the total.